UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Oracle Database 11g Installation STIG


Overview

Date Finding Count (85)
2016-06-15 CAT I (High): 5 CAT II (Med): 67 CAT III (Low): 13
STIG Description
The Oracle Database 11g Installation Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-2608 High The Oracle Listener should be configured to require administration authentication.
V-3812 High Database account passwords should be stored in encoded or encrypted format whether stored in database objects, external host files, environment variables or any other storage locations.
V-15104 High Sensitive data served by the DBMS should be protected by encryption when transmitted across the network.
V-15636 High Passwords should be encrypted when transmitted across the network.
V-5658 High Vendor supported software is evaluated and patched against newly found vulnerabilities.
V-15658 Medium The DBMS warning banner should meet DoD policy requirements.
V-15110 Medium Use of the DBMS installation account should be logged.
V-15111 Medium Use of the DBMS software installation account should be restricted to DBMS software installation, upgrade and maintenance actions.
V-15116 Medium The DBMS host platform and other dependent applications should be configured in compliance with applicable STIG requirements.
V-6756 Medium Only necessary privileges to the host system should be granted to DBA OS accounts.
V-16032 Medium Remote administration should be disabled for the Oracle connection manager.
V-3497 Medium The Oracle Listener ADMIN_RESTRICTIONS parameter if present should be set to ON.
V-15118 Medium Remote administrative access to the database should be monitored by the IAO or IAM.
V-15652 Medium DBMS remote administration should be audited.
V-4754 Medium Database software directories including DBMS configuration files are stored in dedicated directories separate from the host OS and other applications.
V-15656 Medium The DBMS should not have a connection defined to access or be accessed by a DBMS at a different classification level.
V-3813 Medium DBMS tools or applications that echo or require a password entry in clear text should be protected from password display.
V-3811 Medium Procedures for establishing temporary passwords that meet DoD password requirements for new accounts should be defined, documented and implemented.
V-15122 Medium The database should not be directly accessible from public or unauthorized networks.
V-15131 Medium Sensitive information stored in the database should be protected by encryption.
V-15132 Medium Database data files containing sensitive information should be encrypted.
V-43137 Medium DBMS cryptography must be NIST FIPS 140-2 validated.
V-15179 Medium The DBMS should not share a host supporting an independent security service.
V-3827 Medium Audit trail data should be reviewed daily or more frequently.
V-57613 Medium A minimum of two Oracle redo log groups/files must be defined and configured to be stored on separate, archived physical disks or archived directories on a RAID device.
V-57611 Medium A minimum of two Oracle control files must be defined and configured to be stored on separate, archived physical disks or archived partitions on a RAID device.
V-15621 Medium Network access to the DBMS must be restricted to authorized personnel.
V-3440 Medium Connections by mid-tier web and application systems to the Oracle DBMS should be protected, encrypted and authenticated according to database, web, application, enclave and network requirements.
V-15608 Medium Access to DBMS software files and directories should not be granted to unauthorized users.
V-15126 Medium Database backup procedures should be defined, documented and implemented.
V-15620 Medium OS accounts used to execute external procedures should be assigned minimum privileges.
V-15651 Medium Remote DBMS administration should be documented and authorized or disabled.
V-15643 Medium Access to DBMS security data should be audited.
V-2422 Medium The DBMS software installation account should be restricted to authorized users.
V-15625 Medium Recovery procedures and technical system features exist to ensure that recovery is done in a secure and verifiable manner.
V-15105 Medium Unauthorized access to external database objects should be removed from application user roles.
V-15107 Medium DBMS privileges to restore database data or other DBMS configurations, features, or objects should be restricted to authorized DBMS accounts.
V-15106 Medium DBA roles should be periodically monitored to detect assignment of unauthorized or excess privileges.
V-2612 Medium Oracle SQLNet and listener log files should not be accessible to unauthorized users.
V-15102 Medium Automated notification of suspicious activity detected in the audit trail should be implemented.
V-16055 Medium Oracle Application Express or Oracle HTML DB should not be installed on a production database.
V-15109 Medium DBMS production application and data directories should be protected from developers on shared production/development DBMS host systems.
V-2423 Medium Database software, applications and configuration files should be monitored to discover unauthorized changes.
V-3806 Medium A baseline of database application software should be documented and maintained.
V-15140 Medium Procedures and restrictions for import of production data to development databases should be documented, implemented and followed.
V-15143 Medium Database data encryption controls should be configured in accordance with application requirements.
V-3807 Medium All applications that access the database should be logged in the audit trail.
V-15144 Medium Sensitive data is stored in the database and should be identified in the System Security Plan and AIS Functional Architecture documentation.
V-15146 Medium The DBMS should not be operated without authorization on a host system supporting other application services.
V-15148 Medium DBMS network communications should comply with PPS usage restrictions.
V-15121 Medium DBMS software libraries should be periodically backed up.
V-15120 Medium DBMS backup and restoration files should be protected from unauthorized access.
V-15127 Medium The IAM should review changes to DBA role assignments.
V-6767 Medium The database should be secured in accordance with DoD, vendor and/or commercially accepted practices where applicable.
V-15659 Medium Credentials used to access remote databases should be protected by encryption and restricted to authorized users.
V-15618 Medium Access to external DBMS executables should be disabled or restricted.
V-3862 Medium The Oracle INBOUND_CONNECT_TIMEOUT and SQLNET.INBOUND_CONNECT_TIMEOUT parameters should be set to a value greater than 0.
V-3863 Medium The Oracle SQLNET.EXPIRE_TIME parameter should be set to a value greater than 0.
V-3803 Medium A production DBMS installation should not coexist on the same DBMS host with other, non-production DBMS installations.
V-15139 Medium Plans and procedures for testing DBMS installations, upgrades and patches should be defined and followed prior to production implementation.
V-3842 Medium The Oracle software installation account should not be granted excessive host system privileges.
V-57609 Medium The directory assigned to the AUDIT_FILE_DEST parameter must be protected from unauthorized access and must be stored in a dedicated directory or disk partition separate from software or other application files.
V-3825 Medium Remote adminstrative connections to the database should be encrypted.
V-15129 Medium Backup and recovery procedures should be developed, documented, implemented and periodically tested.
V-3809 Medium A single database connection configuration file should not be used to configure all database clients.
V-16056 Medium Oracle Configuration Manager should not remain installed on a production system.
V-16057 Medium The SQLNet SQLNET.ALLOWED_LOGON_VERSION parameter should be set to a value of 10 or higher.
V-16054 Medium The Oracle SEC_PROTOCOL_ERROR_TRACE_ACTION parameter should not be set to NONE.
V-15662 Medium Remote administration of the DBMS should be restricted to known, dedicated and encrypted network addresses and ports.
V-5659 Medium The latest security patches should be installed.
V-15649 Medium The DBMS should have configured all applicable settings to use trusted files, functions, features, or other components during startup, shutdown, aborts, or other unplanned interruptions.
V-15108 Medium Privileges assigned to developers on shared production and development DBMS hosts and the DBMS should be monitored every three months or more frequently for unauthorized changes.
V-15112 Low The DBMS should be periodically tested for vulnerability management and IA compliance.
V-3728 Low Unused database components, database application software, and database objects should be removed from the DBMS system.
V-3866 Low The Oracle Management Agent should be uninstalled if not required and authorized or is installed on a database accessible from the Internet.
V-15150 Low The DBMS requires a System Security Plan containing all required information.
V-16031 Low The Oracle listener.ora file should specify IP addresses rather than host names to identify hosts.
V-3805 Low Application software should be owned by a Software Application account.
V-15622 Low DBMS service identification should be unique and clearly identifies the service.
V-2420 Low Database executable and configuration files should be monitored for unauthorized modifications.
V-3726 Low Configuration management procedures should be defined and implemented for database software modifications.
V-15145 Low The DBMS restoration priority should be assigned.
V-3845 Low OS DBA group membership should be restricted to authorized accounts.
V-15138 Low The DBMS IA policies and procedures should be reviewed annually or more frequently.
V-15611 Low The audit logs should be periodically monitored to discover DBMS access using unauthorized applications.